Newly-Found Windows Bug Affects All Versions Since NT
garg0yle writes "A researcher has found a security bug that could allow privilege escalation in Windows. Nothing new there, right? Well, this affects the Virtual DOS Machine, found in every 32-bit version of Windows all the way back to Windows NT. That's 17 years worth of Windows and counting. 'Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel, making it possible to make changes to highly sensitive parts of the operating system. ... The vulnerability exists in all 32-bit versions of Microsoft OSes released since 1993, and proof-of-concept code works on the XP, Server 2003, Vista, Server 2008, and 7 versions of Windows, Ormandy reported.'"
Cue "Windows Sucks" comments in 5, 4, 3, 2, 1....
Every time I read about one of these long-undiscovered instant pwn bugs, I always have to wonder if there's someone sitting deep underground in an NSA computer center saying "Well shit, looks like we'll not be using that exploit anymore."
Is this a hole nobody knew about or a hole nobody but the people who knew about it knew about, and those people weren't talking?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Yet another driving factor for using the 64-bit editions of Windows (or something completely different from Windows altogether!).
This is the cost of backward compatibility at the expense of everything else. That is what made Microsoft and that is what may break it.
This space for rent.
This bug was discovered by Tavis Ormandy.
Tavis, you need a girlfriend.
Nope, Linux can't even run a simple app that will run on every version of NT since 1993. Some OS Linux is.
"I use a Mac because I'm just better than you are."
Yet another reason people need to abandon 32-bit OSs. Seriously. What's the point of using half the power of your CPU?
For those who seek perfection there can be no rest on this side of the grave.
From the RFA: "He said he informed Microsoft security employees of the vulnerability in June".
So, Microsoft could at least have fixed this in Windows 7 (according to Wikipedia: "released to manufacturing on July 22, 2009").
Browsers shouldn't have a back button!! It's all about going forward...
Linux has its own version of such bugs. Yes, even with the 'many eyes' looking at the source, it does happen; F/OSS is no panacea.
From http://news.zdnet.com/2100-9595_22-332141.html
A hole has been found in Linux kernel versions stretching back eight years that is 'as trivial as it can get to exploit', according to the Google employees who discovered it.
Julien Tinnes and Tavis Ormandy, the security researchers who discovered the vulnerability, have already issued a patch for the flaw. According to a blog post written by Tinnes on Thursday, the hole "affects all 2.4 and 2.6 kernels since 2001 on all architectures", and is "the public vulnerability affecting the greatest number of kernel versions".
This space for rent.
Good job I run W7 64-bit then I guess. I remember when I tried using XP64, what a pile of crap that was. I'm glad they have sorted the compatibility issues in newer releases.
I am a leaf on the wind, watch how I soar.
In particular, if that could be used to turn the "safe" IE8 into something unsafe, it could lead to more governments asking their citizens to stop using IE, any version of it.
Ormandy said the security hole can easily be closed by turning off the MSDOS and WOWEXEC subsystems. The changes generally don't interfere with most tasks since they disable rarely-used 16-bit applications. He said he informed Microsoft security employees of the vulnerability in June.
So, to be clear, is this only about 32-bit Windows builds then?
64-bit Windows doesn't even support running 16-bit applications. And that's what WOWEXEC is all about. However, I'm less sure about this "MSDOS" subsystem in 64-bit builds? What's that for, anyway? The console emulation?
Beware: In C++, your friends can see your privates!
Just like NT can't run nix apps made in the '70s. Some OS NT is.
Don't be a twit
It looks like one more reason to switch to 64-bit to me. I have been using 64-bit since Vista. Now I am glad I made the switch. And since the OEM keys for Vista and 7 are good for both the 32-bit and 64-bit versions, the only excuse for not going 64-bit is laziness (assuming you have a 64-bit processor). I have yet to find a 32-bit program that doesn't run on my 64-bit machine.
there are 10 types of people in this world, those who read binary and those who don't. which are you!
I guess windows 7 sales were a bit sluggish, so here comes a new bug they can fix in windows 8.
Sure it can- Wine. I've had surprisingly good luck running Windows apps natively on Linux (ie. not in a virtual machine or emulator).
What about the PowerPC version of NT? That's 32-bit too. And of course the DEC Alpha version is 64-bit, so it can't have that exploit.
Slashdot makes me sick. It's just not fair to go digging 14 years prior to the date when Microsoft finally started taking security seriously.
Rich And Stupid is not so bad as Working For Rich And Stupid.
So much for 'nobody writes hacks for old stuff anymore, if we just keep running NT we'll never get hacked' Sounded good at the time.
That's not an equivalent bug, because it affects all architectures. This bug is in some architecture-specific code for running the VM86 mode on IA32 chips. It doesn't affect NT 4 on Alpha, PowerPC, or MIPS, or any more recent versions on x86-64 or IA64.
I am TheRaven on Soylent News
I don't know about you, but I don't want all those unemployed former MS-programmers to get down to Linux.
I'm helping to keep the Linux codebase clean and pragmatic by running Windows once in a while and giving a false sense of user demand.
But seriously though, I have seen a lot of "open source Windows clones"; they all look like clowns to me in usability and aesthetics.
Actually, I was just messing around. I'm kind of surprised it took someone this long to find a vulnerability in wowexec. I'm sure MS is not even thinking much about this, yet pretty much any program can have the possibility of a buffer overrun or some sort of registry memory shift.
I found it funny that the Google ad displayed next to the article was for Microsoft forefront touting the security features.
http://www.perfectreign.com/stuff/2010/forefront.jpg
The Kai's Semi-Updated Website Thingy
Last I checked WINE doesn't virtualize DOS.
I've heard that coders at Microsoft don't code, and they don't go looking for bugs in old products especially. After all, that code is done and (to quote Blagojevich) is F*ckin' golden! The only way MS code is checked is by reverse engineering by independent firms. BTW, that appears to be a violation of the EULA. How do they ever get away with this? F*ckin' do-gooders, poking their nose into someone else's business!
Anyone still running only 32-bit Windows deserves the vulnerability. This is just one more reason why people should be upgrading to 64-bit.
I always wondered why PEEK and POKE still worked in QBASIC.
The difference is how much faster it was fixed once it was discovered, and how much less work and money that it takes to run a new version of Linux. Switching from a vulnerable Win2K or NT to 7 is a VERY costly endeavor. Switching to a new version of Linux is not nearly as big of an undertaking.
My blog. Good stuff (when I remember to update it). Read it.
Interesting coincidence that you should bring up that example. Tavis Ormandy, one of those who discovered the Linux kernel bug you mentioned, was also the one who posted the details on the Windows 16-bit VDM bug that we're discussing here to Full Disclosure yesterday. I guess he must like his code to be covered in cobwebs or something...
UNIX? They're not even circumcised! Savages!
Vulnerability applies to 32-bit Microsoft Windows operating systems with Windows NT 3.5 heritage.
Vulnerability arises from ancient coding or design flaws in the MS-DOS execution subsystem. This subsystem is not present in 64-bit Windows OSs.
The workaround is to disable the MS-DOS subsystem.
Great article at the SANS Institute Internet Storm Center: http://isc.sans.org/diary.html?storyid=8023. This includes links to Youtube videos on how to use Windows Group Policy tools to disable this subsystem.
However, once you do this, you won't be able to run 16-bit DOS-based software, so if you really need that you may have to wait for a patch. Or build a dedicated DOS machine, where at least you'll have no illusions of security. (Cynics would say this is true of any MS operating system, but I leave that debate to others.)
Welcome to the Panopticon. Used to be a prison, now it's your home.
Wine enumlates dos now? Hmm.
Of course, your own phrase illuminates the problem. I don't want to rely on "surprisingly good luck" to run applications.
Clearly, you don't have an ATI video card, do you?
I seem to recall demo-coders bragging about using a local priv. escalation bug in the VDM to "break out" of 16-bit DOS code at least 3-4 years back... Anyone remember?
This isn't a "newly-found" bug. It was discovered and reported to Microsoft on 12-Jun-2009. Not sure what's worse: an OS vendor who doesn't patch holes quickly, or a blog editor who is clueless and uses inaccurate headlines to waste readers' time.
Last time I checked, Wine didn't even fully implement Win32.
...the German and French governments advise their citizens against using Windows altogether, not just Internet Explorer.
"As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch."
So, er, why isn't there a link telling us punters how to disable the WOWEXEC and MSDOS subsystems? Enquiring minds wish to know...
from Tavis Ormandy's disclosure
So the bug was found six months ago, but Microsoft only decided it was serious enough to fix after it was publicized. Seems like another case of "responsible disclosure" being used to cover up a vulnerability, instead of fixing it (or publishing a workaround) before the bad guys find out about it.
You will never be able to review the source code of your windows OS.
All you have to be is Chinese Government. That is all. You think the Google hack was found by relentless probing of defenses of the WinOS? Or did they have to just grep through the WinOS source code for things like strcpy()?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Windows 98SE rules!
The only public figure in American society who had anything remotely insightful to say in the last twenty years or so:
Wine doesn't have to. There are other applications that virtualize DOS. They seem to do better than XP does at it too.
A Pirate and a Puritan look the same on a balance sheet.
Linux has its own version of such bugs. Yes, even with the 'many eyes' looking at the source, it does happen; F/OSS is no panacea.
From http://news.zdnet.com/2100-9595_22-332141.html
A hole has been found in Linux kernel versions stretching back eight years that is 'as trivial as it can get to exploit', according to the Google employees who discovered it.
Julien Tinnes and Tavis Ormandy, the security researchers who discovered the vulnerability, have already issued a patch for the flaw. According to a blog post written by Tinnes on Thursday, the hole "affects all 2.4 and 2.6 kernels since 2001 on all architectures", and is "the public vulnerability affecting the greatest number of kernel versions".
Eight years is a pretty 'good' record, but Windows still wins by 7 more (NT3.5 released in 1994, more or less the time of release of Linux 1.0). Also notice that the Linux bug was fixed almost contextually with its report, whereas the one this article is about has not been fixed 6 months+ after the report was acknowledged. This is where open source wins.
"I'm never quite so stupid as when I'm being smart" (Linus van Pelt)
ATI makes crap binary blob drivers. Whether or not you are updating your kernel has little bearing on this.
Of course, if you follow the recommendations of Windows-centric hardware review sites, you won't have this problem. '-p
A Pirate and a Puritan look the same on a balance sheet.
If this was a ruse to get me to dump them, spend money, go to the hassle of upgrading the O/S and very likely having to replace a whole load of hardware and applications, then sorry guys. You've failed.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
If you want to run MS DOS apps use dosemu or dosbox. In fact do this in 32bit Windows as well...
Analogies don't equal equalities, they are merely somewhat analogous.
No, ignore the problem; after all there is plenty of randomness available in Ubuntu. Randomly qualified maintainers fiddling with other randomly qualified maintainers' fiddling of the original maintainer's code. Nothing wrong whatsoever with packaging in meta Linux distros...
I've always assumed any Windows PC I'm using could have been rooted long ago
Corrected version:
I've always assumed any device with a closed-source OS/BIOS/firmware/other code I'm using could have been rooted long ago
There, fixed that for you.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Certainly the best way to eliminate this threat is to do away with the NTVDM altogether and use virtualization, similar to how Windows 7 Pro has "XP Mode." Microsoft should create a virtual HD (*.vhd) file with MS-DOS 6.22 installed on it and then offer it as a free download. Users could either use Virtual PC or the virtualization solution of their choice (VirtualBox, VMWare, etc).
DOSBox is also a decent solution, although it is geared more towards DOS games than to completely and accurately emulating MS-DOS.
Agreed on time to patch.
But comparing switching from Win2K to 7 to a simple Linux upgrade isn't fair. We're talking about 10 year old software here - as an example Ubuntu don't support simple in-place upgrades for anything more than a couple of years old (and while I'm no expert Debian seems to have similar multi-step upgrades for older versions). If you're running an OS from 2000 (of any type) and want to upgrade to the latest, you're basically looking at a wipe & reinstall regardless.
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
Perhaps MS should finally grow some balls and ditch legacy code. Just do it. It's not about what the customer thinks they want, it's about progress. Do it like Jobs.
That is all.
So, you mean to tell me Microsoft lied all those times they claimed Windows was rewritten? Didn't see that one coming...
Jason-Palmer.com
What is this, 2003?
I'm not getting a lot of these posts. Microsoft is a software business, not a computer science business. I think some of you may be confusing one for the other. This is par for the course.
yum update xorg-x11-drv-ati
There, that wasn't so hard, was it?
Does any major software still need the 16-bit subsystem?
Amusingly, when I first installed Windows NT 3.51, back around 1996, the 16-bit subsystem was optional, like the OS/2 subsystem, and I had it turned off. Everything worked fine. In NT 4, they let the kode kiddies from the Windows 95 group put legacy code into NT, some of which still ran in 16-bit mode, and the 16-bit subsystem was always on.
OK so it's not equivalent. It is more serious.
Nope, Linux can't even run a simple app that will run on every version of NT since 1993. Some OS Linux is.
And this is a bad thing?
Switching to a new version of Linux is not nearly as big of an undertaking.
Sure it's not.
http://linux.slashdot.org/linux/06/10/28/239258.shtml
http://www.theregister.co.uk/2009/11/03/karmic_koala_frustration/
This space for rent.
Good thing I'm running Windows 7 64-bit then :)
Jack of all trades,master of none
...to run OS/2 Warp4. Yeppers.
YankDownUnder: I came, I saw, I want to go home.
I don't know about you, but I don't want all those unemployed former MS-programmers to get down to Linux.
It's alright. There's no possible way that will happen as Visual Studio still doesn't run in Linux, even under Wine. They'd all be too confused by the lack of magic code generating wizards, play buttons and twiddly knobs.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
I'm running MS-DOS right now so I'm really getting a kick out of these comments.
I used to work for a large defense company. I won't say who, or what project, but think Raytheon (a good sized defense contractor) and set your sights a bit higher.
Our department had a product, and of all the arguments 'round the table about this and that, one that I tried to fight was a bug that could kernel panic the system, regardless of privileges (i.e. you can be any user on the system). Worse, this bug can be invoked on the command line, locally. Worse, this command line was a simple derivative of a legit command given in the documentation for common use while using the system. Worse, this episode cemented and reinforced my perception of the evils of proprietary software production and of allowing business rationale and management to influence design decisions and implementations.
I lost, the bug was never fixed by the time I had left. Even with architecture changes with underlying hardware, the bug propagated through hardware and software product revisions.
Allow me to backtrack for one second. When I was starting out in software development, I got the greatest piece of advice from my then boss; who was and is a very adept engineer. I had to develop a domain whois CGI script, I chose to do it in C. (Follow me here, yeah perl/php/python/ada blah blah blah) Every time I submitted a revision, he broke it. Until one day he said, "If you are going to have an end-user give input, in any way, be prepared to parse and process anything. You can not assume the user even knows what domain syntax is." Basically, if you have the end-user type something on command line, into a input box, or some other text field, make no assumptions and be able to parse anything that might be managed to be inserted into that field.
My program grew thousands of lines once that sunk in. Error handling, string parsing, input validation and sanitation, is the input even ASCII...
So with this ingrained into my psyche, which I think is an extremely valuable concept when designing interactive software, now you can appreciate my frustration when I was told that the bug in question would not be dealt with because the command that invoked it wasn't verbatim with what the documentation said. In a nut shell, the following transpired:
Let's say I make 150 dollars an hour, and it takes me a day to investigate this bug, another day to fix it, and a few more hours to document this, and then we conduct regression testing to make sure changes don't have negative effects elsewhere in the program, that's quite a bit of money the company spends on this problem. If the change is found out by the government testers, then we stand a chance to have to face re-certification (or at least a long delay in current certification processes) which costs even more, not to mention potentially missing our mark for shipping to market resulting in irrecoverable and high lost opportunity costs (LOC). Now, let's say the help desk folks, who make 15 dollars an hour, simply guide the user to type the correct thing in (he spends five minutes doing this), or the end-user follows the documentation and does it himself. The bug never surfaces, and the company doesn't have to spend the extra money or face negative consequences.
They made their decision to ignore this problem using business rationale. I can not underestimate how pissed off I got over this issue, because our product was in use, in the field. It was a part of the military machine, and so lives are at stake as far as I'm concerned. Business rationale my ass; everyone there was salaried and it's my opinion that the government gets shafted often by contractors as they attempt to recoup all costs by charging to an authorized project charge number for everything. So the company doesn't really pay the 150 dollars an hour to develop a broken feature, the taxpayer does. But this is how decisions are made when business philosophy interferes with logic, and while my bug won't likely cause an international tragedy, this exact same thing can be transposed over the events leading up to
I've tested the exploit in a virtual machine on Windows 7 x32 and Windows XP SP3 and it doesn't work. These are default installs of the OS with no config changes. When run on Windows 7 x32 as Administrator it did cause a BSOD. Running as a standard user it did nothing; the process that was supposed to have escalated privileges did not. Anybody else found it working?
Exactly. My POS '99 Ford Explorer has a cruise control recall due that apparently causes the car to explode in flames (their words). My point here is that I am sure Ford knew about the problem years in advance and finally broke out their profit/loss calculator after the lawsuits started piling up and decided it was time to fix it. Design flaws are here to stay; is this a surprise? A for-profit company has different legal liabilities (both to the public and their shareholders) than an open source community has.
Are those 3D printers good enough that I can print off an Ubuntu 4-door hybrid yet?
I am a v1ral sig. Plse c0py me and h3lp me spread. Thank y0u?
Not really; some architectures like ARM don't have this bug (because page 0 is used for something else). Also, one of the main uses of mapping page 0 is for running a DOS emulator on x86 via vm86 [1]. So they seem related.
haha suckers your backdoors are getting less and less every day
soon there will be only one
I was just gonna say "Windows is insecure! Film at 11:00"
But your deeply insightful comment got me thinking and I've amended my response to "Windows sucks! Fuck off shill."
Just saying.
Christ, are you that dense? Linux can do it, and can do it well.
Then run windows or use native linux/bsd apps, you wouldn't buy a mac and expect to run windows apps, or install windows and expect to run linux apps, the fact that wine is so complete and capable is quite remarkable and it gives operating systems that support it useful additional functionality, but it's not the only solution.
btw, what's enumlation?
Yeah, the quality of Microsoft's products is clearly due to programmer incompetence, it certainly has nothing to do with management or mis-prioritization. As we all know, management at Microsoft is composed of angels and benevolent demi-gods. If only those developers with hearts of pure evil would stop messing everything up...
and sitting in front of it. Windows is therefore vulernable to every user of Windows. So what makes you trust that everybody whos using Windows can be trusted not to exploit it? Why do they need to lock down desktops in corporate environments if everybody who uses Windows is trustworthy?
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
'Using code written for the VDM, an unprivileged user can inject code of his choosing directly into the system's kernel,'
As if 99% of all Windows users aren't already running as root.
Summary of workaround for WinXP:
start->run->gpedit.msc
Navigate to:
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility -> Prevent access to 16-bit applications
Select "enable".
The real question is, how do I secure my PC? And don't give me those Policy Groups buzzwords -- how many PC owners know what they mean? Criminy, tell us which files to rename, which registry keys to change, or which services to turn off -- give us something simple and effective.
I am using x64 so I am ok ;)
People who laughed at your comment also enjoyed the Jack Benny article on today's front page.
"How long will we have to wait for MS to do anything about this one? Will they simply suggest people use 64-bit Windows?" - by aztektum (170569) on Wednesday January 20, @11:58AM (#30833872)
You've got a point on THAT much, this is certain (licensed Windows 7 64-bit user here)... Microsoft would do well by doing that, & probably spur/usher-in MORE "64-bit computing" on Personal Computers in doing so.
HOWEVER: This is all that users on Windows need to "adjust" (i.e.-> Simply "rip out" the DOS/Win16 subsystem basically) -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
(Iirc, that's where any "emulated" subsystems, such as POSIX, exist on ANY form of Windows NT-based OS'...)
APK
P.S.=> It's often suggested for security to do so for the POSIX subsystem, so, this is probably going to shortly be another such suggestion is my guess, for better security (assuming that using some old "legacy app" is not mandatory by a user or company that utilizes Windows)... apk
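As an added example (my own script, not code from this thread, from Ormandy's disclosure or from Microsoft), the PowerShell below audits the workaround that both the gpedit steps above ("Prevent access to 16-bit applications") and APK's SubSystems registry key describe: it reports whether the machine is 32-bit Windows, whether ntvdm.exe is present, whether the 16-bit policy is already in effect, and which subsystems are registered under Session Manager\SubSystems. It assumes that the Group Policy setting is backed by the DWORD value VDMDisallowed under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat (that registry mapping is my assumption, not something stated in the thread), and that the -Apply switch is used from an elevated prompt. The SubSystems key is only read, never modified.

```powershell
# Added example: audit (and optionally apply) the "block 16-bit applications"
# workaround for the NTVDM privilege escalation discussed in the thread.
# Assumption: the Group Policy "Prevent access to 16-bit applications" sets
# the DWORD VDMDisallowed=1 under the AppCompat policy key below.
param([switch]$Apply)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
# Key named in the comment above; listed here read-only, never edited.
$SubSysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

function Get-VdmStatus {
    # 64-bit Windows ships no NTVDM at all. PROCESSOR_ARCHITEW6432 is only set
    # when a 32-bit process (e.g. 32-bit PowerShell) runs on 64-bit Windows.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)

    # The VDM executable itself; absent on x64 installs.
    $ntvdmPresent = Test-Path (Join-Path $env:SystemRoot 'System32\ntvdm.exe')

    # Policy value; $null if the key or value does not exist.
    $policy = Get-ItemProperty -Path $PolicyKey -Name VDMDisallowed -ErrorAction SilentlyContinue
    $disallowed = ($policy -ne $null) -and ($policy.VDMDisallowed -eq 1)

    # Enumerate registered subsystem entries (Windows, Posix, Os2, ...) without touching them;
    # the PS* properties are PowerShell provider metadata, not registry values.
    $subsystems = @()
    $props = Get-ItemProperty -Path $SubSysKey -ErrorAction SilentlyContinue
    if ($props) {
        $subsystems = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Name }
    }

    # New-Object PSObject keeps this runnable on PowerShell 2.0 (XP/2003 era hosts).
    New-Object PSObject -Property @{
        Is64BitWindows   = $is64
        NtvdmPresent     = $ntvdmPresent
        VDMDisallowedSet = $disallowed
        RegisteredSubsys = ($subsystems -join ', ')
        # Exposed only if a 32-bit install still has NTVDM and the policy is not set.
        Exposed          = (-not $is64) -and $ntvdmPresent -and (-not $disallowed)
    }
}

function Set-VdmDisallowed {
    # Same effect as enabling the policy in gpedit.msc; creates the key if missing.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name VDMDisallowed -PropertyType DWord -Value 1 -Force | Out-Null
}

$status = Get-VdmStatus
$status | Format-List Is64BitWindows, NtvdmPresent, VDMDisallowedSet, RegisteredSubsys, Exposed

if ($Apply -and $status.Exposed) {
    Set-VdmDisallowed
    Write-Output 'VDMDisallowed set to 1: 16-bit applications are now blocked by policy.'
}
```

Run the script with no arguments for a report only; add -Apply on an exposed 32-bit machine to set the policy value. As the comments above note, this blocks every 16-bit DOS and Win16 application, so inventory those first; the change is reversible by deleting the VDMDisallowed value or setting the policy back to "Not configured" in gpedit.msc. I deliberately did not automate removing entries from the SubSystems key that APK mentions, since a mistake there affects how the session manager starts all subsystems, whereas the policy value is the documented, scoped switch.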
given enough eyeballs, all bugs are shallow
-Eric S. Raymond, The Cathedral and the Bazaar
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
great, I'll test this virus ASAP :-)